ID

VAR-201501-0218


CVE

CVE-2015-0581


TITLE

Vulnerability in the XML parser of Cisco Prime Service Catalog that allows reading arbitrary files

Trust: 0.8

sources: JVNDB: JVNDB-2015-001264

DESCRIPTION

The XML parser in Cisco Prime Service Catalog before 10.1 allows remote authenticated users to read arbitrary files or cause a denial of service (CPU and memory consumption) via an external entity declaration in conjunction with an entity reference, as demonstrated by reading private keys, related to an XML External Entity (XXE) issue, aka Bug ID CSCup92880. The vendor has released this vulnerability as Bug ID CSCup92880. Supplementary information: the vulnerability type has been identified as CWE-611: Improper Restriction of XML External Entity Reference ('XXE'). Attackers can exploit this issue to obtain potentially sensitive information or cause a denial-of-service condition. This may lead to further attacks. Cisco Prime Service Catalog is a solution that supports automated ordering of a unified service catalog of computing, networking, storage, and other data center resources.

Trust: 1.98

sources: NVD: CVE-2015-0581 // JVNDB: JVNDB-2015-001264 // BID: 72350 // VULHUB: VHN-78527

AFFECTED PRODUCTS

vendor: cisco // model: prime service catalog // scope: lte // version: 10.0

Trust: 1.0

vendor: cisco // model: prime service catalog // scope: lt // version: 10.1

Trust: 0.8

vendor: cisco // model: prime service catalog // scope: eq // version: 10.0

Trust: 0.6

sources: JVNDB: JVNDB-2015-001264 // CNNVD: CNNVD-201501-667 // NVD: CVE-2015-0581

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-0581
value: HIGH

Trust: 1.0

NVD: CVE-2015-0581
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201501-667
value: HIGH

Trust: 0.6

VULHUB: VHN-78527
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2015-0581
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:S/C:C/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 7.8
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-78527
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:S/C:C/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 7.8
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-78527 // JVNDB: JVNDB-2015-001264 // CNNVD: CNNVD-201501-667 // NVD: CVE-2015-0581

PROBLEMTYPE DATA

problemtype: NVD-CWE-Other

Trust: 1.0

problemtype: CWE-Other

Trust: 0.8

sources: JVNDB: JVNDB-2015-001264 // NVD: CVE-2015-0581

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201501-667

TYPE

Design Error

Trust: 0.3

sources: BID: 72350

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-001264

PATCH

title: cisco-sa-20150128-psc-xmlee // url: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-psc-xmlee

Trust: 0.8

title: 4971/0 // url: http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=4971&signatureSubId=0&softwareVersion=6.0&releaseVersion=S847

Trust: 0.8

title: 4971/1 // url: http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=4971&signatureSubId=1&softwareVersion=6.0&releaseVersion=S847

Trust: 0.8

title: 37136 // url: http://tools.cisco.com/security/center/viewAlert.x?alertId=37136

Trust: 0.8

sources: JVNDB: JVNDB-2015-001264

EXTERNAL IDS

db: NVD // id: CVE-2015-0581

Trust: 2.8

db: BID // id: 72350

Trust: 1.4

db: SECTRACK // id: 1031658

Trust: 1.1

db: JVNDB // id: JVNDB-2015-001264

Trust: 0.8

db: CNNVD // id: CNNVD-201501-667

Trust: 0.7

db: CISCO // id: 20150128 CISCO PRIME SERVICE CATALOG XML EXTERNAL ENTITY PROCESSING VULNERABILITY

Trust: 0.6

db: VULHUB // id: VHN-78527

Trust: 0.1

sources: VULHUB: VHN-78527 // BID: 72350 // JVNDB: JVNDB-2015-001264 // CNNVD: CNNVD-201501-667 // NVD: CVE-2015-0581

REFERENCES

url: http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20150128-psc-xmlee

Trust: 1.7

url: http://www.securityfocus.com/bid/72350

Trust: 1.1

url: http://www.securitytracker.com/id/1031658

Trust: 1.1

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-0581

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-0581

Trust: 0.8

url: http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-78527 // BID: 72350 // JVNDB: JVNDB-2015-001264 // CNNVD: CNNVD-201501-667 // NVD: CVE-2015-0581

CREDITS

Alexios Dimitriadis and Cisco

Trust: 0.3

sources: BID: 72350

SOURCES

db: VULHUB // id: VHN-78527
db: BID // id: 72350
db: JVNDB // id: JVNDB-2015-001264
db: CNNVD // id: CNNVD-201501-667
db: NVD // id: CVE-2015-0581

LAST UPDATE DATE

2024-11-23T22:27:12.537000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-78527 // date: 2015-09-17T00:00:00
db: BID // id: 72350 // date: 2015-01-29T00:00:00
db: JVNDB // id: JVNDB-2015-001264 // date: 2015-01-30T00:00:00
db: CNNVD // id: CNNVD-201501-667 // date: 2015-01-29T00:00:00
db: NVD // id: CVE-2015-0581 // date: 2024-11-21T02:23:21.463

SOURCES RELEASE DATE

db: VULHUB // id: VHN-78527 // date: 2015-01-28T00:00:00
db: BID // id: 72350 // date: 2015-01-29T00:00:00
db: JVNDB // id: JVNDB-2015-001264 // date: 2015-01-30T00:00:00
db: CNNVD // id: CNNVD-201501-667 // date: 2015-01-29T00:00:00
db: NVD // id: CVE-2015-0581 // date: 2015-01-28T22:59:02.937